FDA Issues Cybersecurity Action Plan for Agency IT Systems

The FDA has released an action plan to update its approach to internal cybersecurity, the Cybersecurity Modernization Action Plan (CMAP). This plan will improve the agency’s overall standing with respect to cyberthreats, which have increased by more than 450% over the volume experienced prior to the COVID-19 pandemic.

The agency’s cybersecurity standing is important to industry because of the increasing reliance on electronic filing of premarket applications and other regulatory filings. The FDA’s Center for Devices and Radiological Health announced Oct. 3 that its portal for electronic premarket applications is available for these filings, and that 510(k) submissions will have to be filed electronically as of Oct. 1, 2023. Any cybersecurity threat to the FDA could implicate the data found in these premarket applications, data that could include proprietary information and trade secrets.

FDA chief information officer Vid Desai and Craig Taylor, the FDA’s chief information security officer, said the increase in activity during the pandemic included reconnaissance activities, denials of service, and attempted exploitations of the FDA’s information technology (IT) infrastructure. These increases in activity resulted in a monthly volume of 9.5 billion firewall and intrusion detection blocks, threats that could lead to disclosure of sensitive proprietary data filed with the agency by manufacturers of pharmaceuticals and medical devices.

There are six key objectives listed in the CMAP, such as the establishment of the Zero Trust approach, which is a principle that any attempt to access an IT network requires authentication and continuous verification. The agency will leverage artificial intelligence and machine learning technologies to improve cybersecurity performance, and will prioritize and invest in its cybersecurity workforce.

The FDA CMAP project follows a May 2019 directive issued by the White House, Executive Order 13870, and a previous executive order that called for an increase in the U.S. government’s cybersecurity workforce. The notice states that the federal government was facing a shortage of cybersecurity talent and capability, but also that directors of federal government departments and agencies would be held accountable for managing the cybersecurity risks of those entities. Among the points of accountability is the recruitment and retention of cybersecurity staff, which can be enhanced with work-based learnings and apprenticeships.

The FDA’s Office of Digital Transformation (ODT) will direct the implementation of the CMAP plan, which will reduce the risks associated with data sharing with other federal government agencies and with the private sector. The plan specifically cites the unauthorized disclosure of U.S. federal government cybersecurity tools as another source of cybersecurity risk because of an associated proliferation of capabilities that were previously held only by national intelligence services.

As part of the implementation of a Zero Trust paradigm, the FDA will require the use of multi-factor authentication and encryption, although this implementation will be conducted in an incremental approach that prioritizes the highest risk vulnerabilities. The highest priority will be data and information protection, followed by development of innovative cybersecurity technologies for the FDA’s IT systems. The four remaining priorities are vulnerability management, risk and compliance, customer engagement/workforce development, and counterintelligence and insider threat.

The CMAP program entails the deployment of a network defense implementation plan that consists of three key areas, starting with coordination and oversight of the implementation plan. The second key area is development of five primary pillars of Zero Trust, starting with robust identity credentials, access management tools, and multi-factor authentication. The second primary pillar calls for implementation of monitoring and other technical capabilities in laptop computers and computer workstations, while the third pillar focuses on network-wide security capabilities. The fourth and fifth primary pillars are technologies for monitoring network applications to institute never-trust/always-verify methods, and safeguards for data, including data encryption and data loss prevention techniques.

Three support pillars will also be implemented, such as the use of analytics for real-time data monitoring that will more quickly identify anomalies that may carry cybersecurity implications. The second support pillar calls for the use of automation and orchestration of these capabilities that will provide FDA staff with the ability to react swiftly to cybersecurity threats, while the third support pillar requires the formation of a governance board that will ensure the appropriate leveraging of cybersecurity tools.